Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 445
  • Last Modified:

hash algorithm

i have been reading about hash algorithms and i am a little confused.  to my understanding, you take a message and then run it through this 'hash calcualtor', this will then spit out a number that cannot be duplicated by any other message.  but my question is, does this alter the original message or is this new number just sent along with the message, to prove that it hasn't been altered. so that at the other end, the recipient can run the same message through the 'hash calculator' and then compare the numbers.
0
jeffreybisko
Asked:
jeffreybisko
  • 3
1 Solution
 
Jason_DeckardCommented:
Jeff,

The result of a hash, called a 'digest', cannot be reversed.  This means sending the digest in lieu of the plain text message would not do the recipient much good (he could not derive the original message).  So, your second guess was correct - the digest is sent along with the plain text message to help verify the integrity of the message.

There's more to this story, however.  If I send you a plain text message with a digest attached to it, how can you be sure that someone did not intercept the message, alter it, create a new digest of the altered message and replace my original digest?

Encryption plays a role in protecting the digest.  Asymmetric encryption to be precise.  In asymmetric encryption, a pair of keys are used.  One key is public (anyone can know it), and the other is private (only the owner of the pair of keys should know the private key).  In asymmetric encryption, a message encrypted with one key in the pair can only be decrypted by the other key in the pair.  For example, if you encrypt a message with my public key, only someone with my private key can decrypt it (hopefully, I'm the only one with my private key!).

Digital signatures use both one-way hashes and asymmetric encryption.  Here's an example:

1) I write a message to you.
2) I create a digest of the message.
3) I encrypt the digest with my private key.
4) I send the plain text message to you, with the encrypted digest attached (the 'signature').
5) You create a digest of the message you received.
6) You decrypt my signature (the encrypted digest) with my public key and compare the digest you created to the digest from my signature.

If both digests match, you can be assured the message has not been tampered with.  Additionally, since you were able to decrypt the signature with my public key, you know that only someone with my private key could have signed the message.  Since I am the only person with my private key, you know that I am the one who signed it, and I cannot deny signing it.

I would like to make a few points about digital signatures, although they are outside the scope of your question:
-Confidentiality is not achieved.  Anyone can read the message I sent you, even though it is signed.
-If my private key is compromised, all is lost.
-You have to be reasonably assured that the public key you think is mine is in fact my public key (in other words, you need to be certain someone hasn't given you their key, but claim it is mine).  Digital certificates help solve the problems associated with exchanging public keys.

Hope that helps,
Jason Deckard
0
 
Jason_DeckardCommented:
Jeff,

The result of a hash, called a 'digest', cannot be reversed.  This means sending the digest in lieu of the plain text message would not do the recipient much good (he could not derive the original message).  So, your second guess was correct - the digest is sent along with the plain text message to help verify the integrity of the message.

There's more to this story, however.  If I send you a plain text message with a digest attached to it, how can you be sure that someone did not intercept the message, alter it, create a new digest of the altered message and replace my original digest?

Encryption plays a role in protecting the digest.  Asymmetric encryption to be precise.  In asymmetric encryption, a pair of keys are used.  One key is public (anyone can know it), and the other is private (only the owner of the pair of keys should know the private key).  In asymmetric encryption, a message encrypted with one key in the pair can only be decrypted by the other key in the pair.  For example, if you encrypt a message with my public key, only someone with my private key can decrypt it (hopefully, I'm the only one with my private key!).

Digital signatures use both one-way hashes and asymmetric encryption.  Here's an example:

1) I write a message to you.
2) I create a digest of the message.
3) I encrypt the digest with my private key.
4) I send the plain text message to you, with the encrypted digest attached (the 'signature').
5) You create a digest of the message you received.
6) You decrypt my signature (the encrypted digest) with my public key and compare the digest you created to the digest from my signature.

If both digests match, you can be assured the message has not been tampered with.  Additionally, since you were able to decrypt the signature with my public key, you know that only someone with my private key could have signed the message.  Since I am the only person with my private key, you know that I am the one who signed it, and I cannot deny signing it.

I would like to make a few points about digital signatures, although they are outside the scope of your question:
-Confidentiality is not achieved.  Anyone can read the message I sent you, even though it is signed.
-If my private key is compromised, all is lost.
-You have to be reasonably assured that the public key you think is mine is in fact my public key (in other words, you need to be certain someone hasn't given you their key, but claim it is mine).  Digital certificates help solve the problems associated with exchanging public keys.

Hope that helps,
Jason Deckard
0
 
Jason_DeckardCommented:
Double post.  Sorry about that :)
0
 
PaulBobbyCommented:
You are not confused at all. You are right when you say that the 'hash value' accompanies the original message.

The recipient takes the original messages, computes a hash value and compares it to yours.

If they match, ta da, the original message did not change enroute.

Now of course that's quite simplistic, there are quite a few issues, which you may have read about, and which may lead to confusion.
0
 
jeffreybiskoAuthor Commented:
sorry it took me so long.  i have been swamped.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now